SSL – Show me the private key

I have to admit I struggle to understand why SSL is one of the weirdest and most difficult things I get stuck configuring about 2 or 3 times a year. Today I was trying to see a private key, as I had a REN server that would not boot properly after a new SSL certificate was installed, and I wanted to compare the key that was getting loaded by REN with what I had in my certificate.

It turns out that I had done something very similar a few weeks ago, but in reverse, and I posted this blog on it.

This time, in order to see the private key, you have to take the JKS keystore, convert it to a PKCS12 (p12) keystore, and then export the private key from that. Again, nothing is ever easy with SSL, so this requires two tools: keytool and openssl. You can get openssl from the great folks at sourceforge – click here.

First the conversion from JKS to p12 (certificatekey is the alias of your key entry; keytool -list -keystore keystore.jks shows the aliases present in a keystore):

keytool -v -importkeystore -srckeystore keystore.jks -srcalias certificatekey -destkeystore myp12file.p12 -deststoretype PKCS12

Secondly, now that you have the p12 keystore, you can extract the private key (you will be prompted for the keystore password and then for a passphrase to protect the output):

openssl pkcs12 -in myp12file.p12 -out private.pem

As written this writes the certificate(s) and the passphrase-protected private key into private.pem together. Add -nocerts to get only the key, and -nodes (-noenc in OpenSSL 3) if you want it written unencrypted so you can actually read it; treat that file as sensitive and delete it when you are done comparing.
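The check I actually wanted in the REN situation above, comparing the key that gets loaded with the one in the certificate, can be scripted. The following is an added example and not part of the original post: it builds throwaway key material with openssl (standing in for the .p12 you get out of keytool, so it runs without a JDK), extracts only the private key from the PKCS12 file, and compares the SHA-256 fingerprint of the public key in the certificate with the one derived from the private key. It assumes the openssl command-line tool is on PATH; the file names and the demo-password value are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the private key you
# pulled out of the PKCS12 file really belongs to the certificate, by comparing
# the SHA-256 fingerprint of the public key on both sides. Assumes the openssl
# command-line tool is on PATH; all key material is throwaway and generated here.
set -eu

# SHA-256 over the DER-encoded public key found in an X.509 certificate (PEM).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same fingerprint, derived from an (unencrypted) private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Prints "match" and returns 0 when the key is the one behind the certificate,
# prints "MISMATCH" and returns 1 otherwise.
key_matches_cert() {
    if [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

# Demo: build a throwaway cert+key pair, round-trip it through a .p12 the way
# the keytool export would, extract only the key, and check it against the
# certificate; then check an unrelated key to show a mismatch being caught.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-a" \
        -keyout "$tmp/a.key" -out "$tmp/a.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-b" \
        -keyout "$tmp/b.key" -out "$tmp/b.crt" >/dev/null 2>&1
    # demo-password is a constructed value for this throwaway keystore only
    openssl pkcs12 -export -in "$tmp/a.crt" -inkey "$tmp/a.key" \
        -out "$tmp/a.p12" -passout pass:demo-password
    # -nocerts: key only; -nodes: leave it unencrypted so it can be inspected
    openssl pkcs12 -in "$tmp/a.p12" -passin pass:demo-password \
        -nocerts -nodes -out "$tmp/a_extracted.key" 2>/dev/null
    good=$(key_matches_cert "$tmp/a.crt" "$tmp/a_extracted.key")
    bad=$(key_matches_cert "$tmp/a.crt" "$tmp/b.key" || true)
    rm -rf "$tmp"
    printf '%s %s\n' "$good" "$bad"   # match MISMATCH
}

demo
```

In real use you would call key_matches_cert with the certificate you received from the provider and the private.pem you extracted from the p12; the fingerprint comparison works the same for RSA and EC keys, which is why it hashes the DER public key rather than comparing an RSA modulus.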

IB – Loading Gateway using SSL link fails

When configuring your PeopleSoft environment to use Integration Broker through a secure gateway, sometimes you will get a message telling you that the gateway connectors cannot be loaded. If you use the http:// address it works, but as soon as you use the https:// link it fails to load.

If you check the application server logs, you will most likely find a message:

PSJNI: Java exception thrown: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain

This assumes that you have the SSL certificate installed in the keystore correctly and that you can reach the PIA site over https without issue. The problem is that the root certificate associated with your SSL certificate is not among the certificates stored within PeopleSoft. Navigate to PeopleTools > Security > Security Objects > Digital Certificates, click the + link, select Root CA as the type, give it a description, refresh the page and then click the Import link; there you paste in the certificate data for each root certificate. There are several ways to get the root CA certificate, just note that you may need to insert the intermediate certificates as well, because the application server has to build the whole chain from the gateway's certificate up to a root it trusts.
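To see why the intermediate certificates matter, here is an added example (not from the original post) that rebuilds the failure offline with openssl: a throwaway root CA signs an intermediate, the intermediate signs a server certificate, and verification with only the root trusted fails until the intermediate is supplied as well. It assumes the openssl command-line tool is on PATH; the CA names and the pia.example.test host name are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "Untrusted Server
# Certificate Chain" situation offline. A throwaway root CA signs an intermediate
# CA, which signs the server certificate. Verifying the server certificate with
# only the root trusted fails until the intermediate is supplied too, which is
# why the intermediate certificates may also need importing into PeopleSoft.
# Assumes the openssl command-line tool is on PATH.
set -eu

# verify_chain ROOT.crt SERVER.crt [INTERMEDIATE.crt ...]
# Prints OK when SERVER chains up to ROOT via the given intermediates, else FAIL.
verify_chain() {
    root=$1; server=$2; shift 2
    untrusted=""
    for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
    # $untrusted is intentionally unquoted so it expands to separate arguments
    if openssl verify -CAfile "$root" $untrusted "$server" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Build the throwaway three-level chain in a temp dir and run both checks.
demo() {
    tmp=$(mktemp -d)
    # Extensions that make a certificate usable as a CA (root and intermediate)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$tmp/ca.ext"
    # Root CA: self-signed
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$tmp/root.key" -out "$tmp/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$tmp/root.csr" -signkey "$tmp/root.key" -days 1 \
        -extfile "$tmp/ca.ext" -out "$tmp/root.crt" >/dev/null 2>&1
    # Intermediate CA: signed by the root
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$tmp/int.key" -out "$tmp/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$tmp/int.csr" -CA "$tmp/root.crt" -CAkey "$tmp/root.key" \
        -CAcreateserial -days 1 -extfile "$tmp/ca.ext" -out "$tmp/int.crt" >/dev/null 2>&1
    # Server (gateway) certificate: signed by the intermediate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pia.example.test" \
        -keyout "$tmp/srv.key" -out "$tmp/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$tmp/srv.csr" -CA "$tmp/int.crt" -CAkey "$tmp/int.key" \
        -CAcreateserial -days 1 -out "$tmp/srv.crt" >/dev/null 2>&1
    without=$(verify_chain "$tmp/root.crt" "$tmp/srv.crt")
    with=$(verify_chain "$tmp/root.crt" "$tmp/srv.crt" "$tmp/int.crt")
    rm -rf "$tmp"
    printf '%s %s\n' "$without" "$with"   # FAIL OK
}

demo
```

Against a live gateway the same check is openssl s_client -connect host:443 -showcerts, saving each certificate it prints and running verify_chain with your root and whatever intermediates the server sent; a FAIL there is the Java-side "Untrusted Server Certificate Chain" in different clothes.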

Wildcard Certificates and PeopleSoft keystores

I love to use the wildcard certificates that you can get from providers like GoDaddy. However, there is a serious problem once you create your CSR, generate your certificate and import it into your keystore. It works great on this system, but I just said it is a wildcard certificate! So when I go to my next system and want to use the same certificate, what am I to do? If I generate a new CSR it will revoke my other server's certificate. I need the private key from the original certificate and I haven't found a nice way to do that in PeopleSoft yet.

I had a client give me their wildcard certificate in PKCS12 (pfx) format, which PeopleSoft does not like at all. However, I found this great command that will take the pfx file and convert it into its own JKS keystore. This works awesomely; all I need to do is import the root and intermediate certificates into the keystore, which are almost always available from the certificate provider, and now I have a keystore that works within PeopleSoft. Once I assign the keystore and the alias within the WebLogic console, I am ready to go!

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

I found that I can create a keystore and a new private key / CSR using Portecle, which is a great tool for working with keystores. Once I create a new CSR and use it to obtain a wildcard certificate, I import the certificate into the keystore along with the root and intermediate certificates, save the keystore in JKS format, and I am good to go! Put the new keystore into the keystore folder within your PIA site ({domain}\piaconfig\keystore). Next you need to go into your WebLogic console and set the PIA domain to use the new keystore and assign the alias from the keystore for the SSL certificate.

pskeymanager -import fails

In working with a new site, I was installing a new certificate into the system and everything appeared fine until I tried to install the actual certificate.  I received the error:

keytool error: java.security.cert.CertificateException: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.

As it turned out, I had an extra blank line at the end of the import file. Extra characters after the certificate make the parser treat them as the start of another certificate, so make sure that there is nothing after the -----END CERTIFICATE----- line.
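A quick pre-check for the trailing-data problem, added here and not part of the original post: count the lines after the last -----END line of a PEM file and strip them before importing. It uses only awk, grep and head; the certificate body in the demo is constructed filler, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: before handing a PEM file to
# keytool / pskeymanager, check that nothing follows the last -----END line,
# since trailing data makes the parser look for a further certificate.
# The sample certificate text below is constructed filler, not a real cert.
set -eu

# Number of lines after the last "-----END ...-----" line (0 means clean).
# Blank lines count too, which is exactly the case from the post.
pem_trailing_lines() {
    awk '/^-----END /{n=0; next} {n++} END{print n+0}' "$1"
}

# pem_strip_trailing IN OUT: copy IN to OUT, dropping everything after the
# last END line (works for chain files with several certificates as well).
pem_strip_trailing() {
    last=$(grep -n '^-----END ' "$1" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || { echo "no -----END line found in $1" >&2; return 1; }
    head -n "$last" "$1" > "$2"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed PEM-shaped sample (base64 filler), followed by an extra
    # blank line and a stray character after the END line.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA' \
        '-----END CERTIFICATE-----' '' '.' > "$tmp/cert.pem"
    before=$(pem_trailing_lines "$tmp/cert.pem")
    pem_strip_trailing "$tmp/cert.pem" "$tmp/cert_clean.pem"
    after=$(pem_trailing_lines "$tmp/cert_clean.pem")
    rm -rf "$tmp"
    printf '%s %s\n' "$before" "$after"   # 2 0
}

demo
```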


PGP/GPG on Linux

Linux is a great platform that has many advantages over a Windows-based platform, and one of those advantages is having PGP (Pretty Good Privacy), in the form of GnuPG (gpg), available on a base install. In 1991 Phil Zimmermann created the first version of PGP encryption, which provides cryptographic privacy and authentication for data communication. It is widely used for securing email, but can also be used to secure text, files, directories and hard drives, and is now being used to encrypt entire computer systems.

To use PGP, you need to create or import a key into the keyring. Keys can be DSA or RSA and are 1024 to 4096 bits long on most systems. A key can be set to never expire or to expire after a chosen period.

To List Keys in the Keyring:
gpg --list-keys

To Generate a new key:
gpg --gen-key

To Import an existing (public) key:
gpg --import ~/keyfilename.gpg

To Import an existing secret key:
gpg --allow-secret-key-import --import ~/secretkeyfilename.gpg

When you need to export the data, remember that there are two parts to the key: the public key and the secret key. When a client wants to encrypt data for you, they require only the public key; the secret key should never leave your control.

To Export an existing public key and secret key:
gpg --output keyfilename_public.gpg --armor --export keyname
gpg --output keyfilename_secret.gpg --armor --export-secret-keys keyname

To encrypt or decrypt a file, remember the passphrase used; if it is forgotten, your data will remain encrypted forever.

To Encrypt a file:
gpg -c filenametoencrypt (you will be asked for the passphrase to encrypt with).
Non-Interactive:
gpg --yes --passphrase={YourPassPhrase} -c filenametoencrypt

To Decrypt a file:
gpg filenametodecrypt (you will be asked for the passphrase used to encrypt with).
Non-Interactive:
gpg --yes --passphrase={YourPassPhrase} filenametodecrypt

Two caveats for the non-interactive forms: with GnuPG 2.0 and later, --passphrase is only honoured together with --batch (and, from 2.1, --pinentry-mode loopback), and a passphrase given on the command line is visible to every other user on the machine in the process list, so prefer --passphrase-fd or --passphrase-file where the script can arrange it.
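As an added example (not from the original post), here is the non-interactive encrypt/decrypt cycle scripted so that the passphrase is read from stdin with --passphrase-fd 0 instead of appearing on the command line, using a throwaway GNUPGHOME so the real keyring is untouched. It assumes gpg from GnuPG 2.1 or later is on PATH; the sample plaintext and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: symmetric encrypt/decrypt with gpg
# non-interactively, feeding the passphrase on stdin (--passphrase-fd 0) rather
# than on the command line, where other users could read it from the process
# list. Uses a throwaway GNUPGHOME so it does not touch your real keyring.
# Assumes gpg (GnuPG 2.1 or later) is on PATH. Plaintext and passphrase are
# constructed sample values.
set -eu

# gpg_encrypt_sym PLAINTEXT_FILE OUTPUT_FILE   (passphrase read from stdin)
gpg_encrypt_sym() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 --output "$2" "$1"
}

# gpg_decrypt PLAINTEXT_OUT ENCRYPTED_FILE     (passphrase read from stdin)
gpg_decrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --output "$1" --decrypt "$2"
}

demo() {
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Older 2.1.x agents need this to accept a loopback passphrase; harmless later
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    printf 'payroll export, constructed sample data\n' > "$tmp/data.txt"
    printf '%s\n' 'correct horse battery staple' \
        | gpg_encrypt_sym "$tmp/data.txt" "$tmp/data.txt.gpg"
    printf '%s\n' 'correct horse battery staple' \
        | gpg_decrypt "$tmp/roundtrip.txt" "$tmp/data.txt.gpg"
    if cmp -s "$tmp/data.txt" "$tmp/roundtrip.txt"; then
        result=roundtrip-ok
    else
        result=roundtrip-FAILED
    fi
    # A wrong passphrase must be rejected, leaving the data encrypted
    if printf '%s\n' 'wrong passphrase' \
        | gpg_decrypt "$tmp/bad.txt" "$tmp/data.txt.gpg" 2>/dev/null; then
        wrong=wrong-pass-accepted
    else
        wrong=wrong-pass-rejected
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    printf '%s %s\n' "$result" "$wrong"   # roundtrip-ok wrong-pass-rejected
}

demo
```

In a real script the passphrase would come from a file with 0600 permissions (--passphrase-file) or a secrets manager piped into --passphrase-fd 0, never from a literal in the script or its arguments.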